Remember earlier this month when Adobe revealed that someone had hacked the software giant’s servers and stolen info on 2.9 million customers? It turns out the leak was significantly larger - by over an order of magnitude, in fact.
Brian Krebs of Krebs on Security is now saying that the leak has impacted at least 38 million users, a group 13 times as large as previously announced. And that's not all.
Besides the hacked accounts, Krebs' sources at Adobe are saying that the hackers made off with some or all of the source code for Photoshop. This is in addition to the massive (over 40GB) amount of source code already uncovered, including source code for Acrobat, ColdFusion (Adobe's web app platform), and Reader.
Yes, someone made off with a copy of the source code for a PDF reading app that has grown uglier and less useful with each release. If we are lucky the hackers might be planning to release a new and improved version of the app.
Over the weekend AnonNews.org posted a 3.8 GB file online that Krebs says looks identical to the stash of stolen Adobe info he stumbled upon earlier this month. It contains more than 150 million username and hashed password pairs, raising serious questions about just how many accounts were compromised.
Adobe has been contacting all the customers that might have been affected with a warning and a request that passwords be changed. Pretty much everyone who has bought an ebook with Adobe DE DRM got that email, including me.
They have also offered a free year of credit monitoring for any customer whose credit card info may have been stolen. Of course, this offer is only good via Experian, which has its own history of selling consumer info to an online identity theft service.
The latest word from Adobe is that there is no sign of any unauthorized activity on any Adobe ID involved in the incident. “So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Adobe spokesperson Heather Edell said. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”
The investigation is continuing, so the number of affected users could still grow.